Rename security clarification doc file and update README reference #25
Co-authored-by: cablate <85614048+cablate@users.noreply.github.com>
…n logs Co-authored-by: cablate <85614048+cablate@users.noreply.github.com>
Pull request overview
This PR aligns repository security documentation naming/references and updates related project metadata/logging to be merge-ready.
Changes:
- Adds/normalizes the standalone security assessment clarification document as SECURITY_ASSESSMENT.md and links to it from the README.
- Updates request logging to avoid printing API keys.
- Bumps the lockfile package version to 0.0.19.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/core/BaseMcpServer.ts | Replaces API-key-value logging with a non-sensitive log message. |
| package-lock.json | Updates the lockfile’s package version to 0.0.19. |
| SECURITY_ASSESSMENT.md | Adds the security assessment clarifications document under the normalized filename. |
| README.md | Adds a “Security Assessment Clarifications” section linking to the standalone doc. |
| const requestApiKey = apiKeyManager.getApiKey(req); | ||
|
|
||
| Logger.log(`${this.serverName} Get API KEY: ${requestApiKey}`) | ||
| Logger.log(`${this.serverName} API key received from request context`); |
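Review bot: The removed Logger.log line wrote the raw requestApiKey value into the log on every request, and deleting it here does nothing for logs that earlier builds already produced. Treat any key that appeared after "Get API KEY:" in existing logs as exposed: rotate it and scrub or expire those log files. For the replacement line, log only whether a key was found, for example `API key present: ${Boolean(requestApiKey)}`, so the message stays accurate when getApiKey(req) returns nothing.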
This log line says an API key was received even when requestApiKey can be undefined (when no header/session/default key is set). Consider logging conditionally when a key is actually present, or rewording to something like “API key lookup performed” to avoid misleading/noisy logs on every request.
| Logger.log(`${this.serverName} API key received from request context`); | |
| Logger.log(`[${this.serverName}] API key lookup performed for request context`); |
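The logging change above stops new leaks, but lines already written by the removed `Get API KEY:` statement still hold key values. The following is an added example, not code from this PR or the project: it scrubs such lines and counts how many distinct keys need rotating. The names `ScrubReport` and `scrubLegacyKeyLogs` and the sample log are assumptions; it also assumes the logger may prepend its own prefix to each line.

```typescript
// Added example: scrub log lines written by the removed statement
//   Logger.log(`${this.serverName} Get API KEY: ${requestApiKey}`)
// ScrubReport and scrubLegacyKeyLogs are hypothetical names, not project code.
interface ScrubReport {
  scrubbed: string[];      // log lines with key values replaced
  exposedLines: number[];  // 1-based numbers of lines that held a real key
  distinctKeys: number;    // how many different keys need rotating
}

// Anything before the marker (timestamp, server name) is kept as-is.
const LEGACY_KEY_LOG = /^(.*Get API KEY: )(.*)$/;

function scrubLegacyKeyLogs(lines: string[]): ScrubReport {
  const seen = new Set<string>();
  const exposedLines: number[] = [];
  const scrubbed = lines.map((line, i) => {
    const m = LEGACY_KEY_LOG.exec(line);
    if (!m) return line;
    const value = m[2].trim();
    // A template literal renders a missing key as the text "undefined";
    // nothing leaked on such lines, so they are left untouched.
    if (value === "" || value === "undefined") return line;
    seen.add(value);
    exposedLines.push(i + 1);
    return `${m[1]}[REDACTED]`;
  });
  // Only the count of distinct keys is reported, never the values.
  return { scrubbed, exposedLines, distinctKeys: seen.size };
}

// Constructed sample log; the server name and key values are made up.
const sampleLog = [
  "example-server Get API KEY: EXAMPLE-KEY-0001",
  "example-server request handled",
  "example-server Get API KEY: undefined",
  "example-server Get API KEY: EXAMPLE-KEY-0001",
  "example-server Get API KEY: EXAMPLE-KEY-0002",
];

const report = scrubLegacyKeyLogs(sampleLog);
console.log(report.exposedLines, report.distinctKeys);
```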
|
|
||
| For enterprise security reviews, see the standalone document: | ||
|
|
||
| - [Security Assessment Clarifications (23 items)](./SECURITY_ASSESSMENT.md) |
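Review bot: The link text in the added README line hard-codes "(23 items)", which goes stale as soon as SECURITY_ASSESSMENT.md gains or loses an entry. Drop the count from the link text and let the document itself state how many items it covers.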
This README link will work on GitHub, but it will be broken for npm consumers because package.json publishes only dist/** and README.md (the SECURITY_ASSESSMENT.md file is not included in the package contents). Either include SECURITY_ASSESSMENT.md in the published files list, or change this link to a GitHub URL.
| - [Security Assessment Clarifications (23 items)](./SECURITY_ASSESSMENT.md) | |
| - [Security Assessment Clarifications (23 items)](https://github.com/cablate/mcp-google-map/blob/main/SECURITY_ASSESSMENT.md) |
The issue requested a filename cleanup so the branch is merge-ready. The document content was already correct; only the file naming/reference mismatch remained.
Filename normalization
- SECURITY_ASSESSMENT_ZH.md → SECURITY_ASSESSMENT.md

Reference alignment
- README.md to point to the new filename.